b'NATIONAL CREDIT UNION ADMINISTRATION\n    OFFICE OF INSPECTOR GENERAL\n\n\n\n\n           REPORT TO CONGRESS\n\n        April 1, 2003 \xe2\x80\x93 September 30, 2003\n\x0cOIG Semiannual Report                                                       September 2003\n\n\n\n\n              INSPECTOR GENERAL\'S MESSAGE TO\n             THE NCUA BOARD AND THE CONGRESS\n\nIt is my pleasure to submit this semiannual report on the accomplishments of the\nNational Credit Union Administration (NCUA) Office of the Inspector General\n(OIG) for the six- month period ending September 30, 2003. While this report\nsummarizes the major activities of the OIG during this reporting period, it is my\nhope that the renewed vigor and focus that the OIG has strived to achieve is\nlikewise reflected in our reported accomplishments.\n\nThe OIG\xe2\x80\x99s values-driven approach to the challenges and issues it faced during this\nreporting period was developed during a strategic planning conference we\nconvened shortly after I was appointed Inspector General last year. In addition to\nplanning significant projects for 2003, that conference emphasized an invigoration\nof our sense of excellence, innovation, and integrity\xe2\x80\x94both to our statutory\nresponsibilities under the Inspector General Act of 1978, as amended, as well as\nto promoting improvements within the agency. Accordingly, during the last\nreporting period we implemented significant structural and policy changes within\nthe OIG, and relied upon those changes to infuse our audit and investigative work\nwith renewed professionalism and a more profound sense of leadership.\n\nWhile we continued to emphasize our independent voice within NCUA and to the\nCongress by identifying opportunities and promoting solutions for improved\nperformance of NCUA programs, we also focused on clarification and mutual\nunderstanding of our unique role within the agency. Accordingly, we devoted\nsignificant time during this reporting period to working with agency management\nat all levels to substantially revise an agency- issued directive covering all matters\nthat must be reported to the OIG, as well as the OIG\xe2\x80\x99s responsibilities in hand ling\nthose investigative matters. The end result of that cooperative effort was a\ndirective that clarified the roles and responsibilities of all employees and that shed\nlight on the OIG\xe2\x80\x99s statutory responsibilities and how it fulfills them.\n\nMoreover, by continuing to focus on our efforts to integrate the agency\xe2\x80\x99s goals\nand challenges with our statutory mission, we completed a review of NCUA\xe2\x80\x99s\nprocess for dealing with credit union member complaints and, again working in\ntandem with agency management, refined and clarified existing procedures to\nmore closely align with applicable law and regulations and render the process\nmore effective and efficient.\n\n\n                                          i\n\x0cOIG Semiannual Report                                                   September 2003\n\n\n\nFinally, as this report marks the completion of my first year as NCUA\xe2\x80\x99s Inspector\nGeneral, I would like to thank the NCUA Board and my dedicated staff for their\nsupport, hard work and cooperation. I would also like to extend my gratitude to\nPresident Bush and the Congress for their recent recognition of the 25th\nanniversary of the IG Act. Of particular note, it was my great pleasure and honor\nto meet, together with my fellow inspectors general, with the President on\nOctober 14, 2003. Our dialog and his words of encouragement and support for\nthe IG community were truly an inspiration.\n\n\n\n\n                               Herbert S. Yolles\n                               Inspector General\n\n\n\n\n                                       ii\n\x0cOIG Semiannual Report                                                                                       September 2003\n\n\n                                             TABLE OF CONTENTS\n\nINSPECTOR GENERAL\xe2\x80\x99S MESSAGE\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...                                                                                i\n\nNCUA AND OFFICE OF INSPECTOR GENERAL MISSION STATEMENTS\xe2\x80\xa6...                                                                    1\n\nINTRODUCTION\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..                                                                                       2\n\nNCUA ORGANIZATION CHART\xe2\x80\xa6\xe2\x80\xa6...\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...                                                                                4\n\nNCUA HIGHLIGHTS\xe2\x80\xa6...............................................................................................                5\n\nFEDERALLY INSURED CREDIT UNION HIGHLIGHTS.......................................                                               7\n\nLEGISLATIVE HIGHLIGHTS....................................................................................                     8\n\nOFFICE OF THE INSPECTOR GENERAL................................................................                                10\n\n          Audit Activity....................................................................................................   11\n\n          Investigative Activity\xe2\x80\xa6\xe2\x80\xa6.................................................................................            16\n\n          Legislative and Regulatory Reviews\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6.....................................................                           19\n\nTABLE I \xe2\x80\x93 REPORTS WITH QUESTIONED COSTS\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6...................                                                              21\n\nTABLE II \xe2\x80\x93 REPORTS WITH RECOMMENDATIONS THAT FUNDS BE PUT\nTO BETTER USE.........................................................................................................         22\n\nTABLE III \xe2\x80\x93 SUMMARY OF OIG ACTIVITY...........................................................                                 23\n\nINDEX OF REPORTING REQUIREMENTS\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6\xe2\x80\xa6..                                                                               24\n\x0cOIG Semiannual Report                                  September 2003\n\n\n                        MISSION STATEMENTS\n\n\n\n\n                          THE NCUA MISSION\nOUR CHARGE IS TO FOSTER THE SAFETY AND SOUNDNESS OF FEDERALLY INSURED\nCREDIT UNIONS AND TO BETTER ENABLE THE CREDIT UNION COMMUNITY TO EXTEND\nAVAILABILITY OF FINANCIAL SERVICES FOR PROVIDENT AND PRODUCTIVE PURPOSES\nTO ALL WHO SEEK SUCH SERVICE, WHILE RECOGNIZING AND ENCOURAGING THE\nHISTORICAL EMPHASIS BY CREDIT UNIONS ON EXTENSION OF FINANCIAL SERVICES TO\nTHOSE OF MODEST MEANS.\n\nWE DO THIS BY MANAGING THE SHARE INSURANCE FUND IN AN EFFICIENT AND\nPRUDENT MANNER AND ESTABLISHING A REGULATORY ENVIRONMENT THAT\nENCOURAGES INNOVATION, FLEXIBILITY, AND CONTINUED FOCUS ON ATTRACTING\nNEW MEMBERS AND IMPROVING FINANCIAL SERVICE TO EXISTING MEMBERS.\n\n\n\n\n            THE OFFICE OF INSPECTOR GENERAL MISSION\nTHE OIG PROMOTES THE ECONOMY, EFFICIENCY, AND EFFECTIVENESS OF NCUA\nPROGRAMS AND OPERATIONS, AND DETECTS AND DETERS FRAUD, WASTE, AND ABUSE,\nTHEREBY SUPPORTING NCUA\xe2\x80\x99S MISSION OF MONITORING AND PROMOTING SAFE AND\nSOUND FEDERALLY INSURED CREDIT UNIONS.\n\nWE ACCOMPLISH OUR MISSION BY CONDUCTING INDEPENDENT AUDITS,\nINVESTIGATIONS, AND OTHER ACTIVITES, AND BY KEEPING THE NCUA BOARD AND THE\nCONGRESS FULLY AND CURRENTLY INFORMED OF OUR WORK.\n\n\n\n\n                                    1\n\x0cOIG Semiannual Report                                                      September 2003\n\n\n                                 INTRODUCTION\n\n\nT\n       he National Credit Union Administration (NCUA) was established as an\n       independent, federal regulatory agency on March 10, 1970. The agency is\n       responsible for chartering, examining, supervising, and insuring federal credit\n       unions. It also insures state-chartered credit unions that have applied for insurance\nand have met National Credit Union Share Insurance requirements. NCUA is funded by\nthe credit unions it supervises and insures. As of June 30, 2003, the NCUA was\nsupervising and insuring 5,864 federal credit unions and insuring 3,665 state-chartered\ncredit unions, a total of 9,529 institutions. This represents a loss of 89 federal and 70\nstate-chartered institutions since December 31, 2002, for a total loss of 159 credit unions\nnationwide.\n\n\n                              Federally Insured Credit Unions\n\n\n\n     12000\n     10000\n               4257    4180     4062\n       8000                             3980     3866   3735     3665\n       6000                                                                       FISCUs\n       4000 6981                                                                  FCUs\n                       6815     6566    6336     6118   5953     5864\n       2000\n           0\n               1997    1998     1999    2000     2001   2002     2003\n\nNCUA operates under the direction of a Board composed of three members. Board\nmembers are appointed by the President and confirmed by the Senate. They serve six-\nyear terms. Terms are staggered, so that one term expires every two years. The Board is\nresponsible for the management of the National Credit Union Administration, including\nthe NCUA Operating Fund, the Share Insurance Fund, the Central Liquidity Facility, and\nthe Community Development Revolving Loan Fund.\n\nThe National Credit Union Administration executes its program through its central office\nin Alexandria, Virginia and regional offices in Albany, New York; Alexandria, Virginia;\nAtlanta, Georgia; Lisle, Illinois; Austin, Texas; and Concord, California. NCUA also\noperates the Asset Management and Assistance Center (AMAC) in Austin, Texas. Please\nrefer to the NCUA organizational chart on page 4.\n\nThe NCUA Board adopted its 2003 budget on November 21, 2002. The final revised\n2003 budget of $146,079,711 represents a decrease of $887,750 from the 2002 budget.\nThe Full Time Equivalent (FTE) staffing authorization for 2003 is 971, a reduction of 24\npositions over the 2002 total of 995.\n\n\n                                             2\n\x0cOIG Semiannual Report                                                  September 2003\n\n\n\n                                      NCUA Budget Dollars\n\n       Millions\n           160\n           140\n           120\n           100\n            80\n            60\n            40\n            20\n             0\n                   1997      1998      1999       2000   2001   2002   2003\n\n\n\n\n                                    NCUA Authorized Staff\n\n    1200\n\n    1000\n\n     800\n\n     600\n\n     400\n\n     200\n\n       0\n            1997          1998       1999     2000       2001   2002     2003\n\n\n\n\n                                              3\n\x0cOIG Semiannual Report                      September 2003\n\n\n\n                 NCUA ORGANIZATION CHART\n\n\n\n\n                            4\n\x0cOIG Semiannual Report                                                    September 2003\n\n\n\n                             NCUA HIGHLIGHTS\n\nREVISIONS TO MEMBER BUSINESS LENDING REGULATION ADOPTED\n\nIn its open monthly meeting on September 24, 2003, the NCUA Board voted\nunanimously to issue revisions to the agency\xe2\x80\x99s member business lending rule for\nfederally insured credit unions.      The revised rule will allow federal credit unions\nincreased flexibility in making loans to small businesses. The rule comes after agency\nleadership formed an internal working group on member business lending and directed\nstaff to review the last several years of experience under NCUA\xe2\x80\x99s rule and comparable\nstate rules.\n\nGAO CALLS FOR FTC TO OVERSEE PRIVATELY INSURED CREDIT\nUNIONS\n\nIn a report issued on August 21, 2003, the General Accounting Office (GAO), noting that\nmany privately insured credit unions are not providing disclosures to consumers,\nsuggested that Congress consider clarifying the authority of the Federal Trade\nCommission (FTC) so that it can fulfill the oversight responsibility assigned it under the\n1991 thrift bailout law. The GAO report found that many privately insured credit unions\ndid not adequately disclose that they were not federally insured. NCUA Chairman\nDennis Dollar stated that he was pleased with the results of the GAO study, calling it\nthorough and consistent with NCUA\xe2\x80\x99s long- held position on the enforcement of certain\nconsumer protection rules.\n\nAMERICAN BANKERS ASSOCIATION BRINGS SUIT AGAINST NCUA\n\nOn July 5, 2003, the American Bankers Association (ABA), the Utah Bankers\nAssociation, and four individual banks, filed suit against the NCUA challenging the\nagency\xe2\x80\x99s approval of a Utah credit union\xe2\x80\x99s community-charter expansion and two federal\ncharter conversions. The plaintiffs contend that NCUA went outside its authority in\napproving the fields of membership conversion requests, claiming that the actions\nexceeded the law\xe2\x80\x99s definition of what constitutes a \xe2\x80\x9clocal community.\xe2\x80\x9d The statute in\nquestion, the 1998 Credit Union Membership Access Act, invests the NCUA Board with\nthe discretion to determine the specifics of \xe2\x80\x9clocal community.\xe2\x80\x9d\n\n\n\n\n                                            5\n\x0cOIG Semiannual Report                                                      September 2003\n\n\nNCUA RELEASES REALIGNMENT TRANSITION PLAN SUMMARY\n\nThe NCUA released a summary of its Realignment Transition Plan this past summer,\nproviding a timeline for the agency\xe2\x80\x99s transition from six regional offices to five, and the\nrelocation of its California office to Arizona. The realignment, announced initially in\nJanuary, is part of Chairman Dollar\xe2\x80\x99s \xe2\x80\x9cAccountability in Management\xe2\x80\x9d (AIM) initiative,\nan effort to increase agency efficiency.\n\nNCUA BOARD SETS FINAL RULE ON FOREIGN BRANCHING\n\nThe NCUA promulgated a new rule, effective July 1, 2003, that set requirements for\nfederally insured, non- military credit unions seeking to establish branch facilities outside\nthe United States. The rule addresses approval for the branch, its supervision, and federal\ninsurance for deposits in the branch. It also deals with the host foreign country\xe2\x80\x99s need for\ninput to the approval process.\n\nNCUA JOINS FEDERAL AGENCIES IN PUBLISHING CONSUMER\nBROCHURE ON PREDATORY LENDING\n\nThe Federal Interagency Task Force on Fair Lending, of which NCUA is a participant,\nhas published a new brochure--\xe2\x80\x9cPutting Your Home on the Loan Line is Risky\nBusiness\xe2\x80\x9d--that alerts consumers to potential borrowing pitfalls, including high-cost\nhome loans, and provides tips for getting the best financing deal possible.\n\n\n\n\n                                             6\n\x0cOIG Semiannual Report                                                     September 2003\n\n\n   FEDERALLY INSURED CREDIT UNION HIGHLIGHTS\n\n\nC\n       redit unions submit quarterly call reports (financial and operational data) to\n       NCUA. An NCUA staff assessment of the June 30, 2003, quarterly call reports\n       submitted by all federally insured credit unions found that virtually all key\n       financial indicators were stable.\n\nKEY FINANCIAL INDICATORS STABLE\n\nLooking at the June 30, 2003 quarterly statistics for major balance sheet items and key\nratios shows the following for the nation\xe2\x80\x99s 9,529 federally insured credit unions: assets\ngrew 7.6 percent, or $42.1 billion; net worth to assets ratio decreased from 10.7 percent\nto 10.5 percent; the loan to share ratio decreased from 70.8 percent to 67.9 percent; the\ndelinquency ratio decreased from .80 to .74 percent ; and credit union return on average\nassets decreased from 1.1 percent to 1.0 percent.\n\nSAVINGS INCREASED DURING THE FIRST SIX MONTHS OF 2003\n\nTotal share accounts increased 7.6 percent, or $37.0 billion; share drafts increased 10.5\npercent; regular shares increased 9.8 percent; share certificates increased 1.8 percent;\nmoney market shares grew 9.7 percent; IRA/KEOGH accounts grew 5.8 percent; and\nother shares increased 22.4 percent. However, non- member deposits decreased .8\npercent.\n\nLOANS AND INVESTMENTS ALSO INCREASED DURING 2003\n\nLoan growth of 3.3 percent resulted in an increase in total loans by $11.1 billion. First\nmortgage real estate loans increased $7.2 billion or 7.1 percent; used auto loans increased\n$5.1 billion or 7.0 percent; other real estate loans increased $300 million or .7 percent;\nunsecured credit card loans decreased $1.1 billion or 5.0 percent; all other unsecured\nloans decreased $700 million or 3.4 percent; new auto loans decreased $200 million or .3\npercent; leases receivable decreased $33.6 million or 2.2 percent; and all other loans\nincreased $600 million or 3.0 percent. First mortgage real estate loans are the largest\nsingle asset category with $107.9 billion accounting for 30.5 percent of all loans. Total\ninvestments increased $17.0 billion or 12.1 percent. All investment categories displayed\ngrowth. Investments in government securities of $84.7 billion account for 54 percent of\nall credit union investments.\n\n\n\n\n                                            7\n\x0cOIG Semiannual Report                                                     September 2003\n\n\n\n                       LEGISLATIVE HIGHLIGHTS\n\n\n\n\nFY 2004 APPROPRIATIONS UPDATE\n\nOn July 25, 2003, the House passed the Fiscal Year 2004 VA/HUD and Independent\nAgencie s Appropriations bill (H.R. 2861) by a vote of 316-109. Included in the bill is the\n$1.5 billion cap on the Central Liquidity Facility (CLF) fund and an allocation of $51\nmillion for the Community Development Financial Institutions fund. On September 4,\n2003, the Senate Appropriations Committee marked up its version of the VA/HUD\nAppropriations bill. Consistent with the House VA/HUD Appropriations bill, the Senate\nalso included $1.5 billion for the CLF. The Senate version further provided $1.5 million\nfor loans and technical assistance to community development credit unions and\nearmarked $700,000 for loans and $800,000 for technical assistance to low income, and\ncommunity development credit unions. These programs are all housed under the\nCommunity Development Revolving Loan Fund (CDRLF) program. The full Senate has\nyet to approve this measure.\n\nBANKRUPTCY CODE REFORM UPDATE\n\nLast year\xe2\x80\x99s bankruptcy bill, The Bankruptcy Abuse Prevention and Consumer Protection\nAct of 2003 (H.R. 975) was overwhelmingly passed by both the House and Senate,\nalthough controversial language in the legislation prevented a final vote. With regard to\ncredit unions, the reforms would preserve voluntary reaffirmation authority for credit\nunion members; provide a \xe2\x80\x9cmeans\xe2\x80\x9d test so those debtors who can repay some part of their\ndebt do so; establish mandatory debtor education programs; and contain a measure\ndealing with bilateral netting agreements for credit unions. With the controversial\nlanguage removed from the legislation, H.R. 975 was passed by the House and is now\nheaded for the Senate. Last year, more than 240,000 credit union members filed for\nbankruptcy. As non-profit financial cooperatives, credit unions are forced to pass on the\ncost of bankruptcy filings to other members in the form of higher interest rates on loans\nand lower dividend payments on share and share draft accounts.\n\n\n\n\n                                            8\n\x0cOIG Semiannual Report                                                      September 2003\n\n\nDEPOSIT INSURANCE REFORM LEGISLATION PENDING\n\nOn April 2, 2003, the House passed bill H.R. 522, which is intended to reform the deposit\ninsurance system. A second reform bill, S. 229, has been introduced in the Senate, but\nnot yet passed. Federal \xe2\x80\x9cdeposit\xe2\x80\x9d and \xe2\x80\x9cshare\xe2\x80\x9d insurance is provided only by the Federal\nDeposit Insurance Corporation (FDIC) and the National Credit Union Share Insurance\nFund (NCUSIF), respectively. The FDIC is currently managing separate funds for banks\nand thrifts, which the FDIC would like to merge into a single fund. Additionally, there is\nsome interest in increasing deposit insurance coverage above the current $100,000 level.\nThe legislation introduced in the 108th Congress proposes several structural changes in\nthe deposit insurance system for the FDIC, and proposes an increase in coverage levels\nfor both the FDIC and the NCUSIF.\n\nHOUSE AND SENATE CONFEREES FINISH NEGOTIATING CHECK\nTRUNCATION BILL\n\nCheck truncation legislation was introduced in Congress to transform the U.S. payment\nsystem from a physical one to an electronic one. \xe2\x80\x9cTruncation\xe2\x80\x9d means to remove an\noriginal paper share draft (check) from the collection or return process and in its place to\nsend a substitute share draft or, by agreement, information relating to the original share\ndraft (i.e., electronic image). While most credit unions have had \xe2\x80\x9ctruncated\xe2\x80\x9d share drafts\nsince 1974, current check truncation legislation would allow the process to occur earlier\nin the clearing system. The House and Senate Conferees finished negotiating the bill on\nOctober 1, 2003, and it is expected to be signed into law by the President in the near\nfuture.\n\n\n\n\n                                             9\n\x0cOIG Semiannual Report                                                  September 2003\n\n\n\n             OFFICE OF THE INSPECTOR GENERAL\n\n\nT     he Office of the Inspector General was established at the NCUA in 1989 under the\n      authority of the Inspector General Act of 1978, as amended in 1988. The staff\n      consists of the Inspector General, Deputy Inspector General for Audits, Counsel to\nthe Inspector General, Senior Special Agent, two Senior Auditors, Senior Information\nTechnology Auditor, and Office Manager.\n\nThe Inspector General reports to, and is under the general supervision of, the NCUA\nBoard. The Inspector General is responsible for:\n\n1. Conducting, supervising, and coordinating audits and investigations of all NCUA\n   programs and operations;\n\n2. Reviewing policies and procedures to ensure efficient and economic operations as\n   well as preventing and detecting fraud, waste, and abuse;\n\n3. Reviewing existing and proposed legislation and regulations to evaluate their impact\n   on the economic and efficient administration of agency programs; and\n\n4. Keeping the NCUA Board and the Congress apprised of significant findings and\n   recommendations.\n\n\n\n\n                                          10\n\x0cOIG Semiannual Report                                                      September 2003\n\n\n\n                                AUDIT ACTIVITY\nAUDIT REPORTS ISSUED\n\nIndependent Evaluation of NCUA\xe2\x80\x99s Information Security Program\nOIG-03-06 September 12, 2003\n\nThe Federal Information Security Management Act (FISMA) permanently reauthorized\nthe framework laid out in the Government Information Security Reform Act of 2000\n(GISRA) which expired in November 2002. FISMA continues annual review and\nreporting requirements introduced in GISRA.\n\nDuring 2003, the OIG engaged Cotton & Company LLP to conduct an independent\nevaluation of NCUA\xe2\x80\x99s information systems (IS) and security program and controls for\ncompliance with FISMA, Title III of the E-Government Act of 2002, and Office of\nManagement and Budget (OMB) Circular A-130, Appendix III. This report discusses the\neffectiveness of IS controls to protect and secure NCUA\'s information technology (IT)\ninfrastructure and assets.\n\nOverall, the evaluation determined that NCUA\xe2\x80\x99s information security program does not\nfully meet the minimum security requirements of OMB Circular A-130, Management of\nFederal Resources, Appendix III, Security of Federal Automated Information Resources\n(A-130). Two significant deficiencies exist in the NCUA IT infrastructure. First we\nnoted several weaknesses related to the underlying general support systems and network.\nThis is significant because every application relies on the security of the operating system\non which it resides. Therefore if the underlying operating systems are not secure, then\nthe applications themselves cannot be assured of being secure.\n\nSecond, we determined that information stored on examiners\xe2\x80\x99 laptop computers is not\nadequately secured. For example, examiners frequently store credit union member\npersonal financial information on their laptop computers. We noted during our review\nthat the examiner laptops and the information stored on the laptops were not considered\nin any system security plan or certification and accreditation document. In our judgment,\nthis information is quite sensitive and presents a significant security risk.\n\nWhile we noted other significant weaknesses in IT controls, we concluded the two\nconditions described above are the most significant to NCUA, and should be addressed as\nsoon as possible by NCUA\xe2\x80\x99s Executive Director and Chief Information Officer.\n\n\n\n\n                                            11\n\x0cOIG Semiannual Report                                                    September 2003\n\n\nOIG Report to OMB on NCUA Compliance With The Federal Information Security\nManagement Act 2003\nOIG-03-07 September 12, 2003\n\nThe OMB issued Fiscal Year 2003 Guidance on Annual Information Technology\nSecurity Reports on August 7, 2003. This guidance provided clarification to agencies for\nimplementing, meeting, and reporting FISMA requirements to OMB and the Congress.\nThis report contains a summary of our evaluation of the NCUA\xe2\x80\x99s information security\nprogram presented in the OMB prescribed format.\n\nThe OIG issued two reports during the past year that reported on the testing of the\neffectiveness of information security and internal controls:\n\n   \xe2\x80\xa2   On March 31, 2003, the OIG issued the Financial Statement Audit Report for the\n       year ended December 31, 2002. The purpose of this audit was to express an\n       opinion on whether the financial statements were fairly presented. In addition, the\n       internal control structure was reviewed and an evaluation of compliance with laws\n       and regulations was performed as part of the audit. The result of this audit was an\n       unqualified opinion, stating that the financial statements were presented fairly.\n       Although there were no material weaknesses identified during the review of the\n       internal control structures pertinent to financial reporting, eight recommendations\n       were made relating to weaknesses in the area of information security.\n\n   \xe2\x80\xa2   On September 12, 2003, the OIG issued a report containing an Independent\n       Evaluation of the NCUA\xe2\x80\x99s Information Security Program - 2003. The content of\n       the independent evaluation report supports the conclusions presented in this\n       report.\n\nIn October 2002, the Chief Information Officer identified and reported 167 weaknesses to\nOMB in the NCUA\xe2\x80\x99s Plans of Action and Milestones (POA&M) report. Additionally,\nthe independent evaluation supporting this report identified 12 new weaknesses and made\nspecific recommendations to address those weaknesses. The table below shows the\ncurrent status of the weaknesses, along with the new recommendations identified in the\nindependent evaluation.\n\n                     Description                           Number of Weaknesses\n  Reported in NCUA\xe2\x80\x99s FY 2002 POA&M                               167\n  Completed/Implemented Fully During FY 2003                      45\n  Partially Completed/Implemented                                 46\n  New Weaknesses                                                  12\n  FY 2002 Weaknesses Awaiting Implementation                      76\n  As of August, 2003\n\n\n\n\n                                           12\n\x0cOIG Semiannual Report                                                     September 2003\n\n\n\nReview of NCUA\xe2\x80\x99s Member Complaint Process\nOIG-03-08 September 25, 2003\n\nCongress has charged NCUA with enforcing a broad range of federal consumer laws and\nregulations in federally chartered credit unions and, in certain instances, state-chartered\ncredit unions. The NCUA is also required to report to Congress and other federal\nagencies on credit unions\xe2\x80\x99 compliance with certain of these laws and regulations. The\nagency regularly receives inquiries and complaints regarding consumer compliance\nissues from the public and credit union members throughout the nation. In addition, the\nagency receives inquiries and complaints on subjects other than federal consumer laws\nand regulations. During 2002, NCUA received approximately 2,000 inquiries and\ncomplaints, about half of which alleged violations of regulations or consumer laws.\n\nWe reviewed the NCUA member complaint process in order to: (1) gather information to\ndetermine the appropriate role for the agency; (2) evaluate the current process; and (3)\ncompare the current process with actions taken by four other federal financial institution\nregulators in their handling of inquiries and complaints.\n\nCurrent NCUA practice and guidance is for each regional office to respectively handle all\ncomplaints it receives\xe2\x80\x94those alleging regulatory and consumer compliance violations as\nwell as those that do not. While we identified a statutory requirement for NCUA\xe2\x80\x99s\ninvestigation of alleged violations of Federal consumer laws and regulations, we did not\nidentify a legal authority requiring NCUA to investigate or track complaints of a non-\nstatutory or non-regulatory nature. The NCUA\xe2\x80\x99s Office of Examination and Insurance\n(E&I), has agreed to revise the current agency Instruction (Instruction 12400.04,\nCompliance Activities: Complaint Handling and Documentation of Violations, dated\nSeptember 5, 2002) for handling member complaints so that it no longer requires tracking\nand monitoring of allegations that do not allege regulatory and consumer compliance\nviolations.\n\nOverall, we found that NCUA\xe2\x80\x99s six regional offices approached the task of handling\nmember complaints in a serious and responsible manner. We concluded that the NCUA\nregions are effective in identifying, processing, and monitoring non-regulatory\ncomplaints and that, overall, the process is working reasonably well in meeting credit\nunion members\xe2\x80\x99 needs in an effective and timely manner.\n\nOur report contains three recommendations for improving the national member complaint\nprocess. The NCUA Office of General Counsel (OGC), and the NCUA Office of\nExamination and Insurance (E&I) commented on our draft report. Both OGC and E&I\nconcurred with the report recommendations.\n\n\n\n\n                                            13\n\x0cOIG Semiannual Report                                                    September 2003\n\n\nManagement Advisory Report \xe2\x80\x93 King Street Parking Garage\nOIG-03-09 September 25, 2003\n\nThe OIG is currently reviewing the operation of NCUA\xe2\x80\x99s parking garage to (1) assess the\ninternal controls over the parking garage income and expenses; (2) determine whether\nNCUA is receiving its correct parking garage net income; and (3) assess the\nreasonableness of revenue variances and trends. In performing this review, we identified\na number of preliminary observations regarding the Parking Operations Agreement and\nthe Parking Management Agreement. We provided our preliminary observations to\nNCUA\xe2\x80\x99s Chief Financial Officer (CFO) in the form of a Management Advisory Report,\nin order to provide timely information to the CFO for making suggested revisions to the\nParking Operations and Management Agreements. We plan to issue a final report on the\nresults of our review at the conclusion of our detailed audit.\n\n\nAUDITS IN PROGRESS\n\nReview of NCUA\xe2\x80\x99s Parking Operations Agreement\n\nIt has been 10 years since NCUA originally entered into a parking lot operations\nagreement for management and operation of the parking garage located directly under the\nNCUA Central Office Building at 1775 Duke Street, Alexandria, Virginia. This review is\nfocusing on the controls in place to ensure the accurate reporting of revenue and expenses\nrelated to NCUA\xe2\x80\x99s parking spaces.\n\nReview of NCUA\xe2\x80\x99s Supervision of State Chartered Credit Unions\n\nThe objective of this review is to evaluate how NCUA supervises and monitors federally\ninsured, state chartered credit unions. This review will also evaluate how agreements are\nnegotiated between NCUA and the respective state supervisory authorities as well as the\nadequacy of the agreements regarding supervision and monitoring of federally insured\nstate chartered credit unions.\n\n\nSIGNIFICANT AUDIT RECOMMENDATIONS ON WHICH CORRECTIVE\nACTION HAS NOT BEEN COMPLETED\n\nAs part of the 2003 Independent Evaluation of the Information Security Program, the\nOIG verified implementation of recommendations made in the prior year\xe2\x80\x99s Independent\nEvaluation of NCUA\'s Information Security Program. The OIG was not provided with\nsufficient evidence to demonstrate implementation of all recommendations contained in\nthe prior evaluation.\n\nBased on the documentation provided, we could only validate 45 actions as completed\nand another 46 partially completed. We could not verify implementation of the\nremaining 76 recommendations because management informed us either that\n\n\n\n                                           14\n\x0cOIG Semiannual Report                                              September 2003\n\n\ndocumentation was unavailable or that a management decision had been made not to\nimplement a recommendation. We discussed with management the importance of\ndisclosing recommendations that management has decided not to implement. We\nrequested that management provide the OIG and agency head with analysis when these\ntypes of decisions are made.\n\n\n\n\n                                       15\n\x0cOIG Semiannual Report                                                    September 2003\n\n\n\n\n                        INVESTIGATIVE ACTIVITY\n\n      n accordance with professional standards and guidelines established by\n\n I    the Department of Justice, the OIG performs investigations of criminal,\n      civil, and administrative wrongdoing involving agency programs. Our\n      investigative jurisdiction focuses on activities designed to promote\neconomy, effectiveness, and efficiency, as well as fighting fraud, waste, and\nabuse in agency programs. In addition to our efforts to deter misconduct and\npromote integrity awareness among agency employees, we investigate referrals and direct\nreports of employee misconduct.         Investigations may involve possible violations of\nregulations regarding employee responsibilities and conduct, federal criminal law, and\nother statutes and regulations pertaining to the activities of NCUA employees.\n\nMoreover, we receive complaints from credit union members and officials that involve\nNCUA employee program responsibilities. We examine these complaints to determine\nwhether there is any allegation of NCUA employee misconduct. If not, we refer the\ncomplaint to the appropriate regional office for response, or close the matter if contact\nwith the regional office indicates that the complaint has already been appropriately\nhandled.\n\nDuring this reporting period, we worked closely with agency management at all levels to\nsubstantially revise an agency- issued directive that set forth employees\xe2\x80\x99 duties and\nresponsibilities for reporting misconduct to the OIG. The Inspector General introduced\nthe revised directive at a meeting of agency senior management and, in tandem with the\nDirector of Investigations, is planning further introductions of the directive at regional\noffices and various agency meetings during the next reporting period.\n\nAdditionally, as a result of OIG concern regarding the release and control of IG\ninvestigative reports and ensuing privacy concerns, the OIG entered into a Memorandum\nof Understanding (MOU) with the agency\xe2\x80\x99s Executive Director. The MOU addressed\ndistribution of investigative reports and use of the reports for administrative actions.\n\nAlso during this reporting period, we revised and significantly expanded the\ninvestigations manual. The policy revisions were done in accordance with industry\nstandards and standards established by the President\xe2\x80\x99s Council on Integrity and\nEfficiency.\n\n\n\n\n                                           16\n\x0cOIG Semiannual Report                                                   September 2003\n\n\n\n\n                        Investigative Operations\n\n\n                           Contacts/inquiries/investigations carried 3\n                             forward from previous reporting period\n\n                           Contacts initiated during reporting period   6\n\n                           Contacts closed                              7\n\n                           Investigative reports issued                 3\n\n                           Investigative subpoenas issued               1\n\n                           Matters referred back to the agency          3\n\n                           Management Implication Reports issued        1\n\n                           Matters remaining open                       2\n\n\n\nCLOSED INVESTIGATIONS\n\nIn the last reporting period, we reported on an investigation into allegations that an\nemployee was in violation of agency policy and a specific supervisory direction to reside\nwithin her assigned duty station. Because the employee\xe2\x80\x99s actual residence was\napproximately 100 miles from her claimed address, the travel vouchers she routinely\nsubmitted contained false information which resulted in her being paid a substantially\nhigher locality pay, and enabled her to obfuscate her actual hours of work. The United\nStates Attorney\xe2\x80\x99s office authorized the use of administrative Kalkines warnings for this\ninvestigation. During her interview with the OIG, the employee provided false testimony\nwhile under the Kalkines immunity agreement. NCUA management has advised the OIG\nthat due to other considerations it plans no action in this matter.\n\nAlso in the last reporting period, we reported on two investigations of false voucher\nclaims and related falsification of attendance at a required agency training conference.\nIn one case, the employee provided false testimony while under a Kalkines immunity\nagreement. The employee subsequently acknowledged the false statement during the\nsame interview. The agency suspended the employee for ten days. In the other case, the\nemployee admitted the false claim of attendance at the conference, as well as other false\nclaims. The agency suspended that employee for three days.\n\n\n\n\n                                           17\n\x0cOIG Semiannual Report                                                     September 2003\n\n\nDuring this reporting period, we completed two (2) investigations. In one investigation,\nthe employee was alleged to have had an inappropriate relationship with a former\nemployee of a credit union and to have released confidential information to that\nindividual. The investigation did not substantiate the allegation. However, in the course\nof the investigation, information was developed that the employee inappropriately\naccepted gifts from a credit union employee. The agency counseled the employee on the\nrelevant ethics rules and age ncy policy regarding acceptance of gifts.\n\nAnother investigation concerned allegations regarding the potential misuse of authority\nby an intra-agency committee designated to resolve policy disputes related to employee\nrelocations. The investigation determined that the committee had exercised authority\nwhich exceeded the specific authority delegated to it by the agency. The OIG issued a\nManagement Implication Report recommend ing that the agency establish a policy which\nclarifies the committee\xe2\x80\x99s authority. No intentional wrongdoing was identified.\n\nDuring this reporting period, we received three (3) referrals which we declined to\ninvestigate and returned to the agency for appropriate follow- up and action, as necessary.\n\nWe issued one (1) IG Investigative Subpoena during this reporting period.\n\nOPEN INVESTIGATIONS\n\nThe OIG has two (2) open investigations. One involves an ongoing initial inquiry into\nallegations of contract fraud by a government contractor. Additionally, we have one\nopen investigation into possible Privacy Act violations.\n\nAGENCY REFERRALS\n\nDuring this reporting period the OIG received thirteen (13) written requests for\ninvestigations of actions taken by credit unions. These matters were referred to the\nrespective regional offices for review and processing.\n\n\n\n\n                                            18\n\x0cOIG Semiannual Report                                                   September 2003\n\n\n\n            LEGISLATIVE AND REGULATORY REVIEWS\n\nSection 4(a) of the Inspector General Act requires the Inspector General to review\nexisting and proposed legislation and regulations relating to the programs and operations\nof NCUA and to make recommendations concerning their impact. Moreover, we\nroutinely review proposed agency instructions and other policy guidance, in order to\nmake recommendations concerning economy and efficiency in the administration of\nNCUA programs and operations and the prevention and detection of fraud, waste and\nabuse.\n\nDuring the reporting period, the OIG reviewed 19 items, including proposed and final\nchanges to legislation, regulations, and agency Interpretive Ruling and Policy Statements\n(IRPS).\n\n            SUMMARY OF STATUTES AND REGULATIONS REVIEWED\n\n       Legislation                                     Title\n H.R. 2622                 \xe2\x80\x9cFair and Accurate Credit Transactions Act of 2003\xe2\x80\x9d\n S. 1334                   \xe2\x80\x9cCheck Truncation Act of 2003\xe2\x80\x9d\n H.R. 975                  \xe2\x80\x9cThe Bankruptcy Abuse Prevention and Consumer Protection\n                           Act of 2003\xe2\x80\x9d\n S. 1359                   \xe2\x80\x9cInternational Money Transfer Disclosure Act and Money\n                           Wire Improvement and Remittance (WIRE) Act\xe2\x80\x9d\n H.R. 2724                 Proposed Amendments to \xe2\x80\x9cFair Credit Reporting Act\xe2\x80\x9d\n H.R. 2861                 \xe2\x80\x9cVA-HUD        and   Independent     Agencies     FY 2004\n                           Appropriations\xe2\x80\x9d\n H.R. 522                  Deposit Insurance Reform\n\n  Regulations/Rulings                                   Title\n 12 CFR Part 740           Final Rule: \xe2\x80\x9cAccuracy of Advertising and Notice of Insured\n                           Status\xe2\x80\x9d\n 12 CFR Parts 703, 742     Final Rule: \xe2\x80\x9cInvestment and Deposit Activities and\n                           Regulatory Flexibility Program\xe2\x80\x9d\n 12 CFR Part 709           Final Rule: \xe2\x80\x9cInvoluntary Liquidation of FCUs and\n                           Adjudication of Creditor Claims Involving Federally-Insured\n                           CUs in Liquidation\xe2\x80\x9d\n Final IRPS 03-02          Amendment to Change Definition of Small Credit Union\n                           Privacy Act Systems Notice/Board Action Memorandum\n 12 CFR Part 745           Proposed Rule: \xe2\x80\x9cShare Insurance\xe2\x80\x9d\n 12 CFR section            Interest Rate Ceiling\n 701.21(c)(7)(ii)(c)\n 12 CFR 723                Summary of Comments\xe2\x80\x94Proposed Rule on MBLs and\n                           Related Regulations\n\n\n                                           19\n\x0cOIG Semiannual Report                                          September 2003\n\n\n12 CFR Part 708a     Proposed Rule: \xe2\x80\x9cConversion of Insured CUs\xe2\x80\x9d\n12 CFR Parts 702, 704,\n                     Draft Final Rule: \xe2\x80\x9cPCA; Corporate Credit Unions; CUSOs;\n712, 723, 742        MBLs\xe2\x80\x99 Reg Flex Program\xe2\x80\x9d\n12 CFR section 701.20Proposed Rule: \xe2\x80\x9cSurety and Guaranty Agreements and Waiver\n                     Requests by FISCUs from the Maximum Borrowing\n                     Limitation\n12 CFR 748 and App.B Proposed Rule for Comment: \xe2\x80\x9cGuidance on Response\n                     Programs for Unauthorized Access to Member Information\n                     and Member Notice\xe2\x80\x9d\n\n\n\n\n                                     20\n\x0cOIG Semiannual Report                                                       September 2003\n\n\n\n                                      TABLE I\n\n                    INSPECTOR GENERAL ISSUED REPORTS\n                          WITH QUESTIONED COSTS\n\n                                                   Number of   Questioned     Unsupported\n                                                    Reports      Costs           Costs\n\nA.     For which no management\n       decision had been made by the                  0           $0               $0\n       start of the reporting period.\n\nB.     Which were issued during the\n       reporting period.                              0            0               0\n\n       Subtotals (A + B)                              0            0               0\n\nC.     For which management decision\n       was made during the reporting                  0            0               0\n       period.\n\n       (i) Dollar value of disallowed costs           0            0               0\n\n       (ii) Dollar value of costs not                 0            0               0\n       disallowed\n\nD.     For which no management\n       decision has been made by the end              0            0               0\n       of the reporting period.\n\nE.     Reports for which no management\n       decision was made within six                   0            0               0\n       months of issuance.\n\n\nQuestioned costs are those costs the OIG has questioned because of alleged violations of\nlaws, regulations, contracts, or other agreements; findings which at the time of the audit\nare not supported by adequate documentation; or the expenditure for the intended purpose\nis unnecessary or unreasonable.\n\nUnsupported costs (included in "Questioned Costs") are those costs the OIG has\nquestioned because of the lack of adequate documentation at the time of the audit.\n\n\n\n\n                                              21\n\x0cOIG Semiannual Report                                                  September 2003\n\n\n\n                                     TABLE II\n\n               INSPECTOR GENERAL ISSUED REPORTS\n      WITH RECOMMENDATIONS THAT FUNDS BE PUT TO BETTER USE\n\n                                                           Number of          Dollar\n                                                            Reports           Value\n\n A.    For which no management decision had been\n       made by the start of the reporting period.               0               $0\n\n B.    Which were issued during the reporting period.           0               0\n\n       Subtotals (A + B)                                        0               0\n\n C.    For which management decision was made\n       during the reporting period.                             0               0\n\n       (i) Dollar value of recommendations agreed to\n       by management.                                          N/A             N/A\n\n       (ii) Dollar value of recommendations not\n       agreed to by management.                                N/A             N/A\n\n D.    For which no management decision was made\n       by the end of the reporting period.                      0               0\n\n E.    For which no management decision was made\n       within six months of issuance.                           0               0\n\n\nRecommendations that "Funds to be Put to Better Use" are those OIG recommendations\nthat funds could be used more efficiently if management took actions to reduce outlays,\nde-obligate funds from programs/operations, avoid unnecessary expenditures noted in\npre-award reviews of contracts, or any other specifically identified savings.\n\n\n\n\n                                          22\n\x0cOIG Semiannual Report                                           September 2003\n\n\n\n                                TABLE III\n\n                     SUMMARY OF OIG ACTIVITY\n              APRIL 1, 2003 THROUGH SEPTEMBER 30, 2003\n\nPART I \xe2\x80\x93 AUDIT REPORTS ISSUED\nReport                                                              Date\nNumber     Title                                                    Issued\nOIG-03-06  Independent Evaluation of NCUA\xe2\x80\x99s Information Security    9/12/2003\n           Program\nOIG-03-07  OIG Report to OMB on NCUA\xe2\x80\x99s Compliance With The          9/12/2003\n           Federal Information Security Management Act\nOIG-03-08  Review of NCUA\xe2\x80\x99s Member Complaint Process                9/25/2003\nOIG-03-09  Management Advisory Report \xe2\x80\x93 King Street Parking         9/25/2003\n           Garage\n\nPART II \xe2\x80\x93 AUDITS IN PROCESS (as of September 30, 2003)\n           Review of NCUA\xe2\x80\x99s Parking Operations Agreement\n           Review of NCUA\xe2\x80\x99s Supervision of State Chartered Credit Unions\n\n\n\n\n                                      23\n\x0cOIG Semiannual Report                                              September 2003\n\n\n\n             INDEX OF REPORTING REQUIREMENTS\n\n SECTION                       DATA REQUIRED                        PAGE REF\n  4(a)(2)    Review of Legislation and Regulations                     19\n  5(a)(1)    Significant Problems, Abuses, or Deficie ncies            11\n             relating to the administration of programs and\n             operations disclosed during the reporting period.\n  5(a)(3)    Recommendations with Respect to Significant                11\n             Problems, Abuses, or Deficiencies.\n  5(a)(3)    Significant Recommendations Described in Previous          14\n             Semiannual Reports on Which Corrective Action Has\n             Not Been Completed.\n  5(a)(4)    Summary of Matters Referred to Prosecution               None\n             Authorities and Prosecutions, Which Have Resulted.\n  5(a)(5)    Summary of Each Report to the Board Detailing            None\n             Cases Where Access to All Records Was Not\n             Provided or Where Information Was Refused.\n  5(a)(6)    List of Audit Reports Issued During the Reporting          23\n             Period.\n  5(a)(7)    Summary of Particularly Significant Reports.               11\n  5(a)(8)    Statistical Tables on Audit Reports With Questioned        21\n             Costs.\n  5(a)(9)    Statistical Tables on Audit Reports With                   22\n             Recommendations That Funds Be Put To Better Use.\n  5(a)(10)   Summary of Each Audit Report Issued Before the           None\n             Start of the Reporting Period for Which No\n             Management Decision Has Been Made by the End of\n             the Reporting Period.\n  5(a)(11)   Description and Explanation of Reasons for any           None\n             Significant Revised Management Decision Made\n             During the Reporting Period.\n  5(a)(12)   Information Concerning Significant Management            None\n             Decisions With Which the Inspector General is in\n             Disagreement.\n\n\n\n\n                                        24\n\x0cOIG Semiannual Report                                      September 2003\n\n\n\n\n                        WE WANT TO HEAR FROM YOU\n\n\n\n                CALL THE OIG HOTLINE\n\n\n\n\n                        TOLL FREE 1-800-778-4806\n\n                        WASHINGTON METRO AREA\n                            703-518-6357\n       You may call ANONYMOUSLY, or request that YOUR call be kept\n                          CONFIDENTIAL\n\n\n\n\n                                   25\n\x0c'